Episode177

From Paul's Security Weekly

Sponsors

  • Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Shameless Plugs & General Announcements

PaulDotCom Security Weekly - Episode 177 - For Friday November 27th, 2009

  • We are growing mustaches for Movember! Go to http://pauldotcom.com/mo for more information and to make donations to our team that will benefit cancer research.
  • Sign up to get a free Website HealthCheck report from Cenzic to see how you can protect your Website from hacker attacks. As part of the Cenzic HealthCheck program, Cenzic will scan your Websites for “holes” that hackers can exploit and provide you with a detailed encrypted PDF report in 2-4 business days. The report will contain:
      • An assessment summary of your Website’s “holes” (security flaws) and easy-to-read severity charts,
      • A prioritized listing of your most vulnerable Website locations (applications), and
      • A description of the security flaws and directions on ways to eliminate them.
    For more information, please visit http://www.cenzic.com/2009HClaunch_PaulDotCom
  • Syngress Publishing - Quench your thirst for knowledge at syngress.com and use the referral link or the discount code "PaulDotCom" at checkout to save 20% on all security book titles!
  • Defensive Intuition - We are also sponsored by Defensive Intuition. Defensive Intuition is the provider of many security consulting services: penetration testing, physical assessments, and social engineering. Defensive Intuition: Owning your boxes, 7 ways to Sunday!
  • QuahogCon Call for Papers - QuahogCon is a Southern New England conference for the hacker culture in all forms, and is looking for presentations!

Episode Media

mp3 pt 1

mp3 pt 2

Special Guest & SECURITY ROCK STAR: Christofer Hoff warns us: "Don’t Hassle the Hoff"

Hoff has over 15 years of experience in high-profile global roles in network and information security architecture, engineering, operations and management.

Prior to his current position, he served as Crossbeam Systems' chief security strategist, was the CISO for a $25 billion financial services company and was founder/CTO of a national security consultancy and led the security engineering team of one of the first global managed network security service providers. Hoff is a prolific blogger and sought after speaker at leading security conferences.

Hoff currently holds the following credentials: CISSP, CISA, CISM, NSA IAM

Christofer Hoff’s Specialties:

Information/Operational Risk Management Expertise with a consultative approach to enlightened governance and business-aligned security solutions. Network security, engineering and architecture with a focus on emerging technologies and disruptive innovation such as virtualization and cloud computing.


Questions:

  1. How did you get your start in information security?
  2. Tell us about your blog. How did you get started in blogging, and what kind of things did you write about early on?
  3. Why did you change the name to Rational Survivability?
  4. Isn't Cloud Computing just Software as a Service anyway, so what is the big deal?
  5. Has "cloud security" made people realize that they really do need to classify their data and determine what is most critical to their organizations and make the appropriate decisions?
  6. In our capitalistic society, where everyone is trying to cut costs and increase profits, doesn't cloud security just get in the way? In other words, does the cloud help businesses save money and be more profitable to a point where people ignore security?
  7. MY cloud is behind a firewall, so I'm safe, right?
  8. Why are so many InfoSec folks into martial arts (are we sparring to avoid beating on end users?)
  9. In a sense, if my cloud is separated from your cloud by software that is implementing access control, isn't that just like two subnets separated at layer 2 by a VLAN?
  10. I've heard that in a shared virtual hosting environment you can sometimes read the memory of your neighbor's virtual machine. Is this true? What technologies, if any, exist to prevent this?
  11. Cloud Security? An oxymoron, or something that can be achieved?
  12. What can we reasonably use the cloud for? How do we determine risk?
  13. How does one pentest the cloud?

Tech Segment: Avoiding end users

Stories For Discussion

  1. The Metasploit, Core, CANVAS, and Nessus Mis-Information Article of the year - [PaulDotCom] - This article is just full of bunk, FUD, and BS. "Alternative penetration testing systems such as Core Security Technologies' Core Impact and Immunity's Canvas are arguably easier to use, but are too expensive for many smaller organizations to buy and don't offer the same range of exploits." Not true, CANVAS is not THAT expensive (I know smaller orgs that use it), and Core will license per engagement. Also, the broad statement about exploit coverage across frameworks is just that, broad, and shows poor research, if he did any at all. "Nessus is now only available for commercial use with a subscription, and lacks the community contribution that Metasploit currently enjoys." Case in point, he has no idea about the HomeFeed and the fact that the NASL scripts are open for all to view and modify. "Rapid7's plan is to be able to feed the results of a penetration test carried out using Metasploit back in to NeXpose, which will then use that information to adjust the remediation actions that it recommends." That's an interesting approach; however, I question the value of taking your pen test results and shoving them back into your vulnerability management program. Shouldn't you just fix the things that are reported broken from a pen test? And aren't those usually policy and procedural? "Some of our customers certainly had concerns that the software was not officially supported or quality checked. Of course in practice HD (Moore) reviews the quality of all the Metasploit code anyway, but we may charge for support in the future." We all know that some of Metasploit's features are frequently broken. In fact, I'm told that right now, the reverse connection SSL feature does not work. John and I frequently have conversations on how we keep old versions of Metasploit around because a certain feature we really liked only works in that version. I know HD and team are working to get things straightened out, but I believe that's going to take time, and be a balancing act between functionality and new features that I am confident they can strike in the coming months/years.
  2. "You hacked my master, now we fight! Whaaaaaaaa!" - [PaulDotCom] - The abbot of the Shaolin temple clearly has a better grasp on security than most company executives as he is quoted saying, "We all know Shaolin Temple has kung fu," Shi was quoted as saying. "Now there is kung fu on the Internet too, we were hacked three times in a row." How very zen, he did not say, "omg, we weren't hacked", or "those damn script kiddies". He said, "other people got kung fu too". <insert gong sound here>
  3. Security People Are Crippled Avengers - Yes, there is a kung fu movie called "Crippled Avengers". And yes, it does involve crippled people kicking butt, and no, I'm not joking! There is an evil master whose son ends up being a cripple, having his arms cut off. To make a long story short, they go around making everyone else a cripple. They blind one person, cut off another one's legs, make one person stupid, and make a fourth guy deaf and mute. The four crippled people go out into the woods and train with a master, where they learn to overcome their handicaps and make use of their strengths. The legless man gets iron legs and kicks people in the chest, killing them instantly. The blind man learns to use his hearing to detect threats and wipe them out with his staff. The deaf and mute guy wears mirrors on his necklace and wrists to detect oncoming opponents. The stupid guy just runs around and acts stupid, doing all kinds of flips and stuff (not sure how this helps them take revenge, but it is fun to watch). Sometimes I feel security people are like cripples; we're constantly being put in handicapped situations. When a project gets approved because it's secure because it's using SSL, whack, it's like getting our legs cut off. When we have to protect a web application that was written in PHP by people who learned from reading a book, it's like fighting with no arms (and maybe even no legs). BUT STILL, we go on to fight the good fight and learn to overcome our handicaps and make the world a better place.
  4. simple search for vulnerable hosts??? - [The Intern] - SHODAN lets you find servers, routers, etc. by using the simple search bar. Credit to HD and FX who tweeted about this.
  5. Now that's tracking your package - [Larry] - I'd be interested to see what the actual technology is behind this, and well, I thought that doing this was illegal - such as having active electronics in your packages.
  6. 9/11 Pager messages - [Larry] - An interesting commotion of pager messages post WTC attacks showing all sorts of valuable information, on people looking for family, downed servers, and even troop deployment. We'll have more on pager sniffing very soon.
  7. Shodan - [Larry] - Wow, this is an awesome "google" for systems, not the "contents". A few searches will reveal systems to compromise. Of course this can be used for evil, but what about using it for good during testing for netblocks that you are authorized to test. This one is great during the information gathering stages, as it does not make contact with the hosts. I'd expect a tech segment on this soon, assuming that it doesn't go away.
  8. Uhhh, how is this a bug in IE? - [Larry] - I don't get it. How is storing metadata in PDFs a bug in IE? Of course researchers are claiming that this information can be used for recon. No fooling? Really?
  9. [1] - [Larry] - More on the recon thread. I've been thinking some about social media, and how I can better leverage the information there during information gathering. Bruce has a great breakdown of the types of data and how they can be used.
  10. Welcome to prison beeeee-otch! - [Mick] - spam? you go to jail! for reals! 4 years!!  ;-)
  11. New Opera is a browser and a server all in one! - [Mick] - While this is very interesting, I'm going to bet money that a whole new sort of attack is going to go live. Anyone want to take this bet?
  12. Shellcode as plain English text? - [Mick] - You can make shellcode that looks like plain English? Oh my this could be the final nail in traditional anti-virus's coffin!

Other Stories Of Interest

Class 3 Zombie outbreak sim - [Mick] - This is so full of win!

Intern Challenge e-mail results